[Samba] wbinfo -i -> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Michael Adam
obnox at samba.org
Fri Nov 20 07:16:31 UTC 2015
Hi Jeff,
On 2015-11-17 at 18:12 -0500, Jeff Dickens wrote:
> Created a new thread because I screwed up and top-posted.
>
>
> So I am still stuck. For reference here is the smb.conf on the member
> server:
>
> root at florence:~# more /etc/samba/smb.conf
> [global]
>
> netbios name = FLORENCE
> security = ADS
> workgroup = IOL
> realm = IOL.SEAMANPAPER.COM <http://iol.seamanpaper.com/>
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> # idmap config used for your domain.
> # Choose one of the following backends fitting to your
> # requirements and add the corresponding configuration.
> # idmap config ad
> # - idmap config rid
> # - idmap config autorid
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config IOL:backend = ad
> idmap config IOL:schema_mode = rfc2307
> idmap config IOL:range = 1000000-9999999
>
> winbind nss info = rfc2307
>
>
> [home]
> path=/home/
> read only = No
>
>
> I increased the range because it seems like the DC is using IDs above
> 1,000,000. This is on the DC:
>
> root at athens:~# wbinfo -u
> administrator
> test1
> krbtgt
> guest
> root at athens:~# wbinfo -i administrator
> administrator:*:0:100::/home/IOL/administrator:/bin/false
> root at athens:~# wbinfo -i test1
> test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
> root at athens:~#
>
>
> And on the member server:
>
> root at florence:~# wbinfo -u
> administrator
> test1
> krbtgt
> guest
> root at florence:~# wbinfo -i administrator
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user administrator
> root at florence:~# wbinfo -i test1
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user test1
> root at florence:~#
>
> Also:
>
> root at florence:~# wbinfo -n test1
> S-1-5-21-870066441-3049097475-1009130827-1105 SID_USER (1)
> root at florence:~# wbinfo -n administrator
> S-1-5-21-870066441-3049097475-1009130827-500 SID_USER (1)
>
> Thought it might have something to do with the fact that the Kerberos user
> tools were not installed -but I set them up and no change.
That should be irrelevant.
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user test1
> root at florence:~#
>
> I found a note about a missing link to libnss_winbind.so.2.. fixed that and
> no difference.
That should not make a difference for wbinfo either.
> So it can list the users but not get the IDs... So it seems to have some
> kind of authentication issue.
So it is important to understand that you have not
been testing just ID-Mapping but nsswitch-level integration.
With 'wbinfo -i test1' you test the functionality that would be
used by 'getent passwd test1' through nsswitch. These are highly
aggtregate commands that do a lot of different calls.
To understand if id-mapping is the problem, you can use wbinfo
like this:
# wbinfo -n test1
S-1-5-21-870066441-3049097475-1009130827-1105 SID_USER (1)
# net cache flush
# wbinfo -S S-1-5-21-870066441-3049097475-1009130827-1105
(or wbinfo --sid-to-uid FOO)
and check the result. If this fails, you should look into
/var/log/samba/log.winbindd-idmap for clues.
Note that 'net cache flush' will make sure that the idmap
request is not answered from the cache but winbindd will
go out to the server.
You may want to increase samba's debug level and redo the
test if there is no clue in there.
Cheers - Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20151120/e6580980/signature.sig>
More information about the samba
mailing list